CVE-2026-48791: Sigstore Java has a vulnerability with bundle verification of integratedTime
Regression: verification of the integratedTime from the Rekor v1 log entry against the Fulcio certificate's validity period was missing.
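The check the advisory describes, shown as an added example that is not sigstore-java's own code: a Fulcio signing certificate is valid for only minutes, so a verifier cannot compare it against the wall clock; it uses the time Rekor integrated the log entry as the reference time and requires that time to fall inside the certificate's notBefore/notAfter window. If that comparison is skipped, an entry logged after the certificate expired still verifies. The example is written in Go against the standard library so that it runs stand-alone; the bundle JSON is a constructed, reduced shape of a Sigstore bundle's verificationMaterial.tlogEntries (proto JSON carries integratedTime as a decimal string of Unix seconds), the certificate is a constructed self-signed ten-minute fixture standing in for a Fulcio-issued one, and the function names are hypothetical. It assumes the entry's signed entry timestamp and the bundle signature have already been verified separately.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"strconv"
	"time"
)

// tlogEntry models the fields of a Rekor v1 entry as carried under a bundle's
// verificationMaterial.tlogEntries. Proto JSON writes the int64 integratedTime
// as a decimal string of Unix seconds. Only the fields this check needs appear.
type tlogEntry struct {
	LogIndex       string `json:"logIndex"`
	IntegratedTime string `json:"integratedTime"`
}

// bundle is a deliberately reduced view of a Sigstore bundle (constructed shape).
type bundle struct {
	VerificationMaterial struct {
		TlogEntries []tlogEntry `json:"tlogEntries"`
	} `json:"verificationMaterial"`
}

// IntegratedTime returns the first log entry's integratedTime as a UTC time.
func IntegratedTime(bundleJSON []byte) (time.Time, error) {
	var b bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return time.Time{}, fmt.Errorf("parse bundle: %w", err)
	}
	if len(b.VerificationMaterial.TlogEntries) == 0 {
		return time.Time{}, fmt.Errorf("bundle carries no transparency log entry")
	}
	secs, err := strconv.ParseInt(b.VerificationMaterial.TlogEntries[0].IntegratedTime, 10, 64)
	if err != nil {
		return time.Time{}, fmt.Errorf("parse integratedTime: %w", err)
	}
	return time.Unix(secs, 0).UTC(), nil
}

// VerifyIntegratedTime is the comparison the regression dropped: the time at
// which Rekor integrated the entry must lie within [NotBefore, NotAfter] of the
// signing certificate. The caller is assumed to have verified the entry's
// signed entry timestamp first, so integratedTime is attested by the log.
func VerifyIntegratedTime(cert *x509.Certificate, integratedTime time.Time) error {
	if integratedTime.Before(cert.NotBefore) || integratedTime.After(cert.NotAfter) {
		return fmt.Errorf("integratedTime %s outside certificate validity [%s, %s]",
			integratedTime.Format(time.RFC3339),
			cert.NotBefore.Format(time.RFC3339),
			cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}

// VerifyBundleIntegratedTime ties parsing and the window check together for a
// bundle and the certificate its signature was verified against.
func VerifyBundleIntegratedTime(bundleJSON []byte, cert *x509.Certificate) error {
	t, err := IntegratedTime(bundleJSON)
	if err != nil {
		return err
	}
	return VerifyIntegratedTime(cert, t)
}

// NewShortLivedCert builds a self-signed certificate with a Fulcio-like
// ten-minute validity window starting at notBefore (constructed test fixture).
func NewShortLivedCert(notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-signing-cert"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed fixture: certificate valid 2023-11-14T22:13:20Z to 22:23:20Z.
	cert, err := NewShortLivedCert(time.Unix(1700000000, 0).UTC())
	if err != nil {
		panic(err)
	}
	inWindow := []byte(`{"verificationMaterial":{"tlogEntries":[{"logIndex":"1","integratedTime":"1700000300"}]}}`)
	expired := []byte(`{"verificationMaterial":{"tlogEntries":[{"logIndex":"2","integratedTime":"1700000601"}]}}`)
	fmt.Println("in window:", VerifyBundleIntegratedTime(inWindow, cert))
	fmt.Println("one second after expiry:", VerifyBundleIntegratedTime(expired, cert))
}
```

Both ends of the window are inclusive, matching X.509 semantics where notAfter is the last valid instant; DER stores certificate times at second precision, so the fixture uses whole-second timestamps.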
References
- github.com/advisories/GHSA-qqw8-7c2r-jxch
- github.com/sigstore/sigstore-java/commit/4b7a49ebb1813f5b1ff113bcad63246358222d61
- github.com/sigstore/sigstore-java/commit/b529335728fc5cfb574161b4b3c06859a8a2aa88
- github.com/sigstore/sigstore-java/pull/1008
- github.com/sigstore/sigstore-java/pull/1185
- github.com/sigstore/sigstore-java/security/advisories/GHSA-qqw8-7c2r-jxch
- nvd.nist.gov/vuln/detail/CVE-2026-48791